Meeting PCI DSS compliance is a rigorous and lengthy process. Organizations must identify all locations and workflows that contain cardholder data and analyze potential gaps in information security programs. In addition, they must also evaluate security infrastructure, policies and procedures, and test all new security controls.
While PCI DSS compliance is well known, the transition to the latest version of the standard, PCI DSS 4.0, can be overwhelming given that the enforcement deadline of March 31st, 2025 is fast approaching. The new requirements may call for modifications or changes to existing security and infrastructure systems.
The Path to PCI DSS 4.0
Once you understand the new PCI DSS 4.0 requirements, align all internal and external stakeholders and conduct a readiness assessment. Document a plan to identify and tag all payment and cardholder data to protect.
Some key new requirements from PCI DSS 4.0 include:
- Inventory of all cryptographic components, including encryption keys, protocols, Hardware Security Modules, and Key Management Systems.
- Card Holder Data (CHD) must be encrypted at the file level on disk or at the field level in the database.
- All but the last four digits of the Primary Account Number (PAN) must be masked. The PAN must be hashed using a keyed hash operation (e.g., HMAC, CMAC).
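The masking and keyed-hash requirements above are easy to get subtly wrong (an unkeyed digest of a PAN is not a protection, because the PAN space is small enough to enumerate). The following Python is an added example, not code from BigID, Fortanix or the PCI SSC: it normalizes a PAN, validates its Luhn check digit, masks everything but the last four digits, and derives a keyed hash with HMAC-SHA256 under a constructed example key. The key, the sample PANs and all function names are assumptions for illustration; in a real deployment the HMAC key would be held in the HSM or key management system the inventory requirement asks you to track.

```python
import hashlib
import hmac
import re

# Constructed example key (32 bytes). In production the key is generated and
# stored in an HSM/KMS and never embedded in source; this value is for the demo only.
EXAMPLE_HMAC_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check the PAN is 12-19 digits (ISO/IEC 7812 lengths)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must consist of 12 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check digit test."""
    total = 0
    for index, char in enumerate(reversed(normalize_pan(pan))):
        digit = int(char)
        if index % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, as the requirement in the list above states."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash of the normalized PAN (HMAC-SHA256), hex encoded.

    A plain SHA-256 would be reversible by enumerating candidate PANs, which is
    why PCI DSS 4.0 calls for a keyed operation such as HMAC or CMAC.
    """
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(pan: str, stored_hash: str, key: bytes) -> bool:
    """Compare a candidate PAN against a stored keyed hash in constant time."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_hash)


def protect_pan_record(pan: str, key: bytes) -> dict:
    """Build the fields that may be stored or displayed instead of the clear PAN."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {"masked_pan": mask_pan(pan), "pan_hmac": keyed_pan_hash(pan, key)}


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number, not a real account).
    record = protect_pan_record("4111 1111 1111 1111", EXAMPLE_HMAC_KEY)
    print(record["masked_pan"])
    print(record["pan_hmac"])
    print(pan_matches("4111111111111111", record["pan_hmac"], EXAMPLE_HMAC_KEY))
```

The keyed hash lets a downstream system answer "is this the same card we saw before?" without storing the PAN, while the masked form is what reaches screens and logs; both are derived from the normalized digits so that formatting differences in the input do not produce different tokens.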
While eventually you will be clear on what needs to be done, the path to getting there may not be straightforward. Meeting these new security controls may require evaluation of existing systems to ensure continuous discovery and protection of PCI data.
Manually discovering sensitive data for encryption only perpetuates non-compliance given the rapid growth in data volume and the velocity at which data is changing. Automating discovery and encryption of PCI data using the latest technology providers reduces overall OPEX while minimizing risk of non-compliance.
With data dispersed across hybrid environments, siloed point encryption solutions can increase the risk of cyber vulnerabilities and data exposure rather than enhancing data security.
Leverage the Right Technology Partners
BigID and Fortanix: Better Together
BigID is a data intelligence platform that provides discovery and classification of an organization’s entire data landscape, giving data security personnel an accurate view on the location of all PCI data to protect. Fortanix encrypts, tokenizes, and masks data in structured databases or in unstructured file formats across hybrid multicloud. Policy-based encryption allows for custom, yet consistent, data protection levels based on sensitivity scores provided by BigID.
BigID Helps You Discover and Classify Exposed Data
Data Discovery
BigID allows you to connect and scan for sensitive account data across any common data source and data type. Find sensitive data lurking in PDF files, mainframes, databases and commonly used messaging apps, pipelines, big data, NoSQL, Cloud IaaS, SaaS, PaaS, applications, dev environments, and more. Scan unstructured data for account information 95% faster using BigID Hyperscan. Save time and avoid sensitive data blind spots across the cloud with Auto-Discovery.
Data Classification
Combine traditional pattern matching techniques with advanced machine learning and Natural Language Processing (NLP) classification to achieve unparalleled accuracy and scalability in classifying account data. Customize and fine-tune classifiers and train them to pinpoint cardholder and authentication data types such as codes, names, and PINs. Label and tag data using a unified ruleset. Build a complete and dynamic sensitive account data inventory with contextual attributes for holistic understanding. Find not only what you need to protect, but also identify and remove redundant, obsolete, trivial (ROT) data to reduce your data footprint, costs, and risk profile.
Active Policy Enforcement
Take action and manage data remediation activity across all your account data. Reduce risk of data vulnerabilities by taking actions such as data deletion, encryption, tokenization, masking, and more. Remediate data your way – centralize management through BigID or decentralize workflows across 3rd party tools and people – across all your data, everywhere. Prioritize, investigate, and automatically kick off remediation in one streamlined process to reduce exposure of account data.
To learn more about how BigID helps with PCI DSS 4.0 Compliance, check out this guide!
Fortanix Helps You Protect Payment Data Everywhere
The Fortanix unified data security platform helps you meet your payment and cardholder data security needs. Fortanix helps with:
- Discovery of encryption keys and exposed data services across hybrid environments.
- File system, storage, and database encryption.
- Data Masking and Tokenization with vaultless Format Preserving Encryption.
- Complete encryption key lifecycle management from a single pane of glass for hybrid multicloud.
- Natively integrated FIPS 140-2 Level 3 certified HSM, available on-prem or as SaaS.
- Flexible key metadata management and immutable logs aid with audits and tracking.
- Zero Trust architecture, with granular RBAC and Quorum Approvals.
- Crypto agility with rapid updates to latest NIST-recommended and quantum-proof algorithms.
- Confidential Computing environment to protect data at-rest, in-transit, and in-use.
To learn more about how Fortanix can help you meet PCI DSS 4.0 compliance, check out this ebook.
Conclusion
Achieving PCI DSS 4.0 compliance all starts with knowing what data you have and what data to protect. With BigID, gain a single and accurate view of your crown-jewel data regardless of where it resides – on-prem, multi-cloud, or hybrid environments.
Apply necessary classification, tagging, and actions to protect data based on sensitivity tiering. With Fortanix, automate the appropriate encryption policies for structured and unstructured data discovered by BigID. Together, BigID and Fortanix provide enterprise-proven protection for meeting PCI DSS 4.0 compliance.